Cloudflare Access not working on sub-sub-domains

mearman · January 9, 2020, 10:06am

Just set up Cloudflare Access and it’s working very nicely but only for one access policy.

On Cloudflare I have SSL/TLS mode to full, redirect to HTTPS enabled and HSTS on.

So, I have proxied A records for a.domain.com, a.a.domain.com, b.a.domain.com and c.a.domain.com all pointing at primary-ip.

I originally had the sub-sub domains as CNAME records pointing at a.domain.com with a wildcard but I’ve moved to explicitly defining the records, to remove any possible issues.

Now, I have Access policies for a.mydomain.com as well as the sub-sub domains.

At primary-ip I have Nginx Proxy Manager generating Let's Encrypt certs for the sub and sub-sub domains individually, enforcing SSL and redirecting the traffic to my internal devices.

To the crux of my issue. For some reason Cloudflare Access works perfectly on a.domain.com but on *.a.domain.com I don’t even get directed to the authentication page and Chrome gives me ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

I’ve pinged the *.a.domain.com sub-sub-domains and they are being proxied… So I’m stumped as to what is wrong…

domjh · January 9, 2020, 10:38am

Hi @mearman,

This looks to me to be an SSL/TLS issue rather than an issue with Access.

mearman · January 9, 2020, 10:39am

Hmm, but that wouldn’t explain why I’m not getting direct to the Access authentication page on the sub-sub domains would it?

mearman · January 9, 2020, 10:41am

Also the certificates for a.domain.com and the *.domain.com domains are being generated exactly the same way.

Just for clarity, I’m not trying to generate a wildcard certificate. Just several sub-sub-domain certificates.

domjh · January 9, 2020, 10:53am

Are you using Cloudflare’s Universal SSL certificate, or a dedicated certificate? The Universal or $5 dedicated certs only cover *.domain.com, not *.sub.domain.com. So I would not expect

to work.

If you are redirecting to HTTPS, I believe the SSL error will occur before Access kicks in.

mearman · January 9, 2020, 11:17am

I’m generating specific sub-sub-domain certificates on the host. Not wildcard certificates.

domjh · January 9, 2020, 11:19am

Which is fine, and you do need the certs on your server, but that doesn’t affect the certificate on Cloudflare’s proxies which will only cover *.domain.com unless you have a dedicated certificate.

mearman · January 9, 2020, 11:20am

Hmm, good point.

I’ll push everything up so it’s just sub-domains rather than sub-sub-domains and test.

mearman · January 9, 2020, 11:51am

Ok, problem solved I think.

Cloudflare SSL/TLS set to flexible but with Always Use HTTPS redirect turned on. Though I may switch that to a page-rule for the subdomains.

Proxied A record for sub.domain.com.
Proxied CNAME records for a, b and c.domain.com that point to sub.domain.com.

Cloudfare Access records set up for a, b, c and sub.domain.com.

NGINX running at sub.domain.com with no SSL which is proxying for a, b, c and sub.domain.com.